﻿import {
  Body,
  Controller,
  ForbiddenException,
  Get,
  HttpCode,
  HttpStatus,
  Param,
  ParseBoolPipe,
  ParseIntPipe,
  Patch,
  Post,
  Put,
  Query,
  Request,
  UseGuards,
} from "@nestjs/common";
import {
  ApiBearerAuth,
  ApiOperation,
  ApiResponse,
  ApiTags,
} from "@nestjs/swagger";
import { AuthService } from "./auth.service";
import { CreateUserDto } from "./dto/create-user.dto";
import { LoginDto } from "./dto/login.dto";
import { RefreshTokenDto } from "./dto/refresh-token.dto";
import { UpdateUserDto } from "./dto/update-user.dto";
import { UserRole } from "./entities/usuario.entity";
import { JwtAuthGuard } from "./guards/jwt-auth.guard";

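/**
 * Shape of the request this controller reads once `JwtAuthGuard` has
 * attached the authenticated principal. Only the fields this file actually
 * touches are declared; `rol` is optional so that a principal without a role
 * fails closed in `ensureCanManageUsers` instead of being trusted.
 *
 * NOTE(review): `id` is assumed numeric to match the `ParseIntPipe`-parsed
 * user ids used elsewhere in this controller — confirm against the JWT
 * strategy's `validate()` return value.
 */
type AuthenticatedRequest = {
  user: { id: number; rol?: UserRole };
};

@ApiTags("auth")
@Controller("auth")
export class AuthController {
  constructor(private readonly authService: AuthService) {}

  /**
   * Role check for the user-management endpoints: only SUPER_ADMIN and
   * ADMIN may proceed. It runs after `JwtAuthGuard`, so authentication is
   * already established; this is purely an authorization decision.
   *
   * Fails closed: a request with no `user` or no `rol` is rejected. The
   * optional chaining is deliberate so a malformed request yields 403
   * rather than a TypeError (500).
   *
   * @param req - the guarded request carrying the JWT principal
   * @throws ForbiddenException when the caller's role is not an admin role
   */
  private ensureCanManageUsers(req: AuthenticatedRequest): void {
    const rol = req?.user?.rol;
    const isManager = rol === UserRole.SUPER_ADMIN || rol === UserRole.ADMIN;
    if (!isManager) {
      throw new ForbiddenException(
        "No tienes permisos para gestionar usuarios",
      );
    }
  }

  /**
   * Public (unguarded) credential login. Credential verification and token
   * issuance live in `AuthService.login`; this handler only forwards the DTO.
   * Returns 200 rather than Nest's default 201 for POST.
   */
  @Post("login")
  @HttpCode(HttpStatus.OK)
  @ApiOperation({ summary: "Iniciar sesión" })
  @ApiResponse({ status: 200, description: "Login exitoso" })
  @ApiResponse({ status: 401, description: "Credenciales inválidas" })
  async login(@Body() loginDto: LoginDto) {
    return this.authService.login(loginDto);
  }

  /**
   * Public (unguarded) token refresh. The refresh token in the body is the
   * sole credential here, so its validation is entirely the service's job.
   */
  @Post("refresh")
  @HttpCode(HttpStatus.OK)
  @ApiOperation({ summary: "Renovar token de acceso" })
  @ApiResponse({ status: 200, description: "Token renovado" })
  @ApiResponse({ status: 401, description: "Token inválido" })
  async refresh(@Body() refreshTokenDto: RefreshTokenDto) {
    return this.authService.refreshToken(refreshTokenDto.refreshToken);
  }

  /**
   * Profile of the caller identified by the bearer token. The id comes from
   * the verified JWT principal, never from the client, so a user can only
   * read their own profile here.
   */
  @Get("me")
  @UseGuards(JwtAuthGuard)
  @ApiBearerAuth()
  @ApiOperation({ summary: "Obtener perfil del usuario actual" })
  @ApiResponse({ status: 200, description: "Perfil del usuario" })
  async getProfile(@Request() req: AuthenticatedRequest) {
    return this.authService.getProfile(req.user.id);
  }

  /** Admin-only: lists every user. See `ensureCanManageUsers`. */
  @Get("users")
  @UseGuards(JwtAuthGuard)
  @ApiBearerAuth()
  @ApiOperation({ summary: "Listar usuarios del sistema" })
  async listUsers(@Request() req: AuthenticatedRequest) {
    this.ensureCanManageUsers(req);
    return this.authService.listUsers();
  }

  /**
   * Admin-only: creates a user from the validated DTO.
   * NOTE(review): no check here prevents an ADMIN from creating a
   * SUPER_ADMIN if `CreateUserDto` accepts a role — confirm the service
   * enforces that, or add the check to this controller.
   */
  @Post("users")
  @UseGuards(JwtAuthGuard)
  @ApiBearerAuth()
  @ApiOperation({ summary: "Crear usuario" })
  async createUser(
    @Body() dto: CreateUserDto,
    @Request() req: AuthenticatedRequest,
  ) {
    this.ensureCanManageUsers(req);
    return this.authService.createUser(dto);
  }

  /**
   * Admin-only: full update of the user with the given id.
   * NOTE(review): nothing here stops an admin from editing their own
   * account or escalating a role if `UpdateUserDto` carries `rol`; verify
   * `AuthService.updateUser` applies those rules.
   */
  @Put("users/:id")
  @UseGuards(JwtAuthGuard)
  @ApiBearerAuth()
  @ApiOperation({ summary: "Actualizar usuario" })
  async updateUser(
    @Param("id", ParseIntPipe) id: number,
    @Body() dto: UpdateUserDto,
    @Request() req: AuthenticatedRequest,
  ) {
    this.ensureCanManageUsers(req);
    return this.authService.updateUser(id, dto);
  }

  /**
   * Admin-only: activates (`?value=true`) or deactivates (`?value=false`)
   * the user with the given id. `ParseBoolPipe` rejects anything that is
   * not a boolean literal, so a missing or malformed flag is a 400, not a
   * silent deactivation.
   * NOTE(review): an admin can deactivate themselves here; confirm the
   * service guards against locking out the last active admin.
   */
  @Patch("users/:id/activo")
  @UseGuards(JwtAuthGuard)
  @ApiBearerAuth()
  @ApiOperation({ summary: "Activar/Desactivar usuario" })
  async setActive(
    @Param("id", ParseIntPipe) id: number,
    @Query("value", ParseBoolPipe) value: boolean,
    @Request() req: AuthenticatedRequest,
  ) {
    this.ensureCanManageUsers(req);
    return this.authService.setUserActive(id, value);
  }

  /**
   * Acknowledges logout. Server-side this is a no-op: nothing is revoked or
   * stored, so the bearer token stays usable until it expires and a refresh
   * token issued earlier is presumably still accepted by `refresh`. Clients
   * are responsible for discarding both tokens.
   * TODO(review): if the service persists refresh tokens, revoke the
   * caller's token here so logout actually terminates the session.
   */
  @Post("logout")
  @UseGuards(JwtAuthGuard)
  @ApiBearerAuth()
  @HttpCode(HttpStatus.OK)
  @ApiOperation({ summary: "Cerrar sesión" })
  async logout() {
    return { message: "Sesión cerrada exitosamente" };
  }
}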
